Botnets

The rise of the botnet is an interesting feature of contemporary computing. Essentially, a botnet is a network of compromised computers belonging to individuals and businesses, now under the control of some other individual or group without the knowledge or permission of the owners. These networks are used to send spam, defraud people, and otherwise exploit the internet.

A combination of factors has contributed to the present situation. The first is that virtually all computers are now networked. Using a laptop on a plane is a disconcerting experience, because you just expect to be able to check the BBC headlines or access some notes you put online. The second is the relative insecurity of operating systems. Some seem to be more secure than others, namely Linux and Mac OS X, but that may be more because fewer people use them than because they are fundamentally more secure. In a population of 95% sheep, sheep diseases will spread a lot faster than diseases that affect the goats who are the other 5%. The last important factor is the degree to which both individuals and businesses are relatively unconcerned (and not particularly liable) about what their hijacked computers might be up to.

Botnets potentially affect international peace and security, as well. Witness the recent cyberattacks unleashed against Estonia. While some evidence suggests they were undertaken by the Russian government, it is very hard to know with certainty. The difficulty of defending against such attacks also reveals certain worrisome problems with the present internet architecture.

With the IP addresses of active bots in hand, it was possible to trace the botnet's command and control server with the cooperation of network administrators who had bots on their networks. By monitoring and correlating network flows, the command center was soon tracked to a server at a co-location facility in the U.S., one well known to malware researchers as a frequent host of this type of activity.
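The flow-correlation step described above, as an added example that is not code from the original report: given a set of hosts already known to be infected, find the destination they all talk to, discount destinations that known-clean hosts also use (popular web sites, update servers), and then use the resulting C2 address to spot further infected hosts. The flow records, the bot and clean-host lists, and all addresses below are constructed for illustration (private and documentation ranges, not real bots or real C2 hosts).

```python
"""Rank candidate command-and-control servers by correlating the outbound
flows of hosts already known to be infected.

Added example, not code from the original report. The flow records are
constructed; all addresses are private or documentation ranges, not real
bots or real C2 hosts."""
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.1.1.5", "203.0.113.7", 80, 1200),    # known bot -> assumed C2
    ("10.1.1.5", "198.51.100.3", 443, 5000),  # known bot -> popular web site
    ("10.1.1.5", "192.0.2.25", 25, 900),      # known bot -> spam delivery
    ("10.2.7.9", "203.0.113.7", 80, 1100),
    ("10.2.7.9", "198.51.100.9", 443, 7000),
    ("10.3.0.2", "203.0.113.7", 80, 1300),
    ("10.3.0.2", "192.0.2.40", 25, 950),
    ("10.5.5.5", "198.51.100.3", 443, 3000),  # known-clean host -> same web site
    ("10.9.9.9", "203.0.113.7", 80, 1000),    # unclassified host, on neither list
]
KNOWN_BOTS = {"10.1.1.5", "10.2.7.9", "10.3.0.2"}
CLEAN_HOSTS = {"10.5.5.5"}


def rank_c2_candidates(flows, known_bots, clean_hosts=frozenset(), ignore_ports=(25,)):
    """Return (dst_ip, dst_port, share) tuples sorted by the fraction of known
    bots that contacted each destination. Destinations also used by known-clean
    hosts are dropped (popular services, update servers), and mail delivery
    ports are ignored because spam targets differ from bot to bot."""
    contacts = defaultdict(set)
    seen_clean = set()
    for src, dst, port, _ in flows:
        if port in ignore_ports:
            continue
        if src in clean_hosts:
            seen_clean.add((dst, port))
        elif src in known_bots:
            contacts[(dst, port)].add(src)
    ranked = [(dst, port, len(srcs) / len(known_bots))
              for (dst, port), srcs in contacts.items()
              if (dst, port) not in seen_clean]
    ranked.sort(key=lambda r: (-r[2], r[0], r[1]))
    return ranked


def likely_c2(flows, known_bots, clean_hosts=frozenset(), min_share=0.8):
    """Top candidate as (ip, port) if at least min_share of the known bots
    contacted it, otherwise None (too weak a signal to act on)."""
    ranked = rank_c2_candidates(flows, known_bots, clean_hosts)
    if ranked and ranked[0][2] >= min_share:
        return ranked[0][0], ranked[0][1]
    return None


def new_suspects(flows, c2, known_bots):
    """Hosts that also talk to the identified C2 but were not on the bot list:
    the next round of machines to hand to their network administrators."""
    dst, port = c2
    return {src for src, d, p, _ in flows
            if (d, p) == (dst, port) and src not in known_bots}


if __name__ == "__main__":
    for dst, port, share in rank_c2_candidates(FLOWS, KNOWN_BOTS, CLEAN_HOSTS):
        print(f"{dst}:{port} contacted by {share:.0%} of known bots")
    c2 = likely_c2(FLOWS, KNOWN_BOTS, CLEAN_HOSTS)
    print("likely C2:", c2)
    print("additional suspects:", new_suspects(FLOWS, c2, KNOWN_BOTS))
```

The clean-host baseline is the important caveat: without it, the destination shared by every bot in a small sample is just as likely to be a CDN or an update server as a C2, so a share threshold alone is not enough.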

These clues also led us to the name of the malware behind the botnet – Trojan.Srizbi. Based on this we were able to locate several variants for testing, the earliest one having been compiled on March 31, 2007. At the end of June, Symantec wrote a fairly detailed blog entry about Srizbi. Information concerning technical details of Srizbi and its removal is available from various anti-virus firms, and will not be covered here.

How Srizbi is Spread

Analysis of recently compromised machines indicated that Srizbi is being spread by the n404 web exploit kit, through the malicious site msiesettings.com. This is a well-known "iframe affiliate" malware install site, where the site owner is paid by different botnet owners for spreading their malware. The exploit kit installs a downloader trojan, which regularly requests a remote configuration file containing URLs of additional malware to download and install. Previous reports have also implicated the MPack web exploit kit in spreading Srizbi, so web exploit kits appear to be the Srizbi author's preferred method of building the botnet.

Unfortunately for Srizbi's author, this approach may have some drawbacks: one machine we analyzed was infected with no fewer than nine other spambots, belonging to the malware families Ascesso, Cutwail, Rustock, Spamthru, Wopla and Xorpix. While installing multiple spambots may increase profits for the web exploiter, it forces the different spam engines to share resources and bandwidth. Some of these spambots use a great deal of CPU time and memory, which means not only that the system is less efficient for the other spammers' use, but that the victim may be forced to seek technical help to fix their "slow" machine, leading to premature removal of the bots. It is also likely to land the IP address of the infected machine in DNS blocklists much faster, rendering the bot much less effective at bypassing spam filtering.

“We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don’t have to: I’ve been working with the Honeynet Project’s Tillmann Werner and Felix Leder, who have been digging into Conficker’s profile on the network. What we’ve found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it’s infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis’ Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It’s been one heck of a weekend.”

“ZDNet has a story (and several related articles) about how Symantec has discovered evidence of an all-Mac based botnet that is actively involved in a DOS attack. Apparently, security on the exploited Macs (call them iBots?) was compromised when unwary users bit-torrented pirated copies of iWork 09 and Photoshop CS4 that contained malware. From the article: ‘They describe this as the “first real attempt to create a Mac botnet” and notes that the zombie Macs are already being used for nefarious purposes.'”

Several of the characteristics of botnets are not only significant in and of themselves, but are emblematic of some of the unique challenges that cyberwarfare as a whole presents.

Botnets, conglomerations of thousands (or more) of hijacked computers known as zombies, are an important aspect of cyberwarfare. These networks can amass the processing power of many computers and servers from all across the globe and direct it at targets anywhere in the world. Botnets are one of the reasons STRATFOR has begun its coverage of cyberwarfare not with the amassed capabilities of an entire nation, but with the transnational and subnational nature of the Internet itself.

Roughly 1 million computers and servers reportedly were involved in the 2007 attacks on Estonian networks; the systems were located in some 75 countries, many of them Tallinn's NATO allies. Much of this happened automatically: the bot software took control of each computer and then took direction from those controlling the botnet. More recent attacks on Radio Free Europe/Radio Liberty in Belarus and other countries were distributed denial-of-service (DDoS) attacks, characteristic of botnets.

In a DDoS attack, each bot repeatedly requests a particular target network or Web site, with the entire network of zombies doing so at the same time. Depending on the scale of the attack and the target system's capacity, this can degrade accessibility or completely overwhelm and shut down access to that network, Web site or server. Bots can also automatically harvest a user's address book and e-mail account to send out spam or infected e-mails, or distribute other malicious software, including copies of the bot itself to further expand the network.
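The request pattern described above, seen from the defender's side, as an added example that is not part of the original article: a sweep over web-server log lines that flags any source exceeding a per-IP request rate, plus the aggregate rate across all sources, since a botnet's whole point is that each zombie can stay under the per-IP threshold while the sum still saturates the server. The log lines are constructed here in Apache combined-log format; the IP addresses are documentation ranges.

```python
"""Detect a request flood in web-server logs: the same source hitting one
site far faster than a person would, and the aggregate load when many
zombies do it at once.

Added example, not from the original article. The log lines are constructed
here in Apache combined-log format; the IP addresses are documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # Apache %t, e.g. 27/Apr/2007:12:00:00 +0000


def parse_line(line):
    """Return (ip, timestamp, request line) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def find_flooders(lines, window_s=10, max_requests=20):
    """Return {ip: peak} for sources that sent more than max_requests in any
    sliding window of window_s seconds (lines are assumed chronological per IP)."""
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip junk rather than abort the sweep
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def aggregate_peak(lines, window_s=10):
    """Peak number of requests from all sources in any window_s-second window.
    Each zombie can stay under the per-IP threshold while the botnet as a
    whole still saturates the server, so watch this number too."""
    times = sorted(p[1] for p in map(parse_line, lines) if p is not None)
    q = deque()
    peak = 0
    for ts in times:
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak = max(peak, len(q))
    return peak


# --- constructed sample log: three zombies at 3 req/s, one human browsing ---
_BASE = datetime(2007, 4, 27, 12, 0, 0, tzinfo=timezone.utc)


def _entry(ip, ts, path="/"):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 '
            f'"-" "Mozilla/4.0 (compatible)"')


SAMPLE_LOG = []
for _bot in ("198.51.100.10", "198.51.100.11", "203.0.113.44"):
    for _i in range(30):
        SAMPLE_LOG.append(_entry(_bot, _BASE + timedelta(seconds=_i // 3)))
for _i in range(5):
    SAMPLE_LOG.append(_entry("192.0.2.8", _BASE + timedelta(seconds=12 * _i), "/news"))
SAMPLE_LOG.append("not a log line at all")

if __name__ == "__main__":
    for ip, n in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests inside a 10 s window")
    print("peak aggregate load:", aggregate_peak(SAMPLE_LOG), "requests / 10 s")
```

Rate alone does not distinguish an attack from a flash crowd, and an attacker who knows the per-IP threshold simply adds more zombies; the aggregate figure is the one that tells you the server is in trouble, and the per-IP list is what you hand to upstream providers for filtering.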

While some of this may seem like a computer security issue (which, of course, it is), Estonia's example shows that botnets can be used in geopolitically significant ways, degrading both a target nation's economic functions and its continuity of government. Because the software to construct botnets is often written by individuals, botnets are often controlled by subnational actors, whether hackers, terrorist organizations or cybercriminals. (Less effective botnets can be built from existing software downloaded from the Internet, but because that software is widely available, systems with up-to-date security software are generally already protected against it.) Even when wielded by a national actor, botnets offer an anonymous and deniable avenue of attack, as may have been the case in both Estonia and Belarus. Indeed, in addition to cybermercenaries offering their own botnets for hire, botnets may be emerging as offerings for sale on a sort of Internet arms market.

The Register is reporting on the takedown of a botnet once responsible for one-third of the world's spam. The deed was done by researchers from the security firm FireEye, who detailed the action in a series of blog posts. PC World's coverage estimates that lately the botnet has accounted for 4% of spam.

What particularly stands out about the EFTPS exploit toolkit is its admin interface. Most exploit toolkits contain an admin interface that manages exploits and payloads and tracks exploit success rates. The EFTPS exploit toolkit, however, also contains a completely fake admin console. This admin interface acts as a "hacker honeypot" that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it. The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings…
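A decoy console of the kind described above, as an added example that is not the toolkit's own code: a login handler that records every attempt with the client address, classifies it as a default-credential try, an injection string, or an ordinary wrong guess, and lets the first two "succeed" so the visitor keeps interacting with the decoy and keeps generating evidence. The credential list, the injection patterns and the sample attempts are constructed.

```python
"""Decoy admin console in the style of the "hacker honeypot" described above:
it looks like a weak login panel, records every attempt with the client
address, classifies what was tried, and lets obvious attacks "succeed".

Added example, not the toolkit's own code. The credential list, the
injection patterns and the sample attempts are constructed."""
import re
from dataclasses import dataclass, field

# Constructed list of default / easily guessed logins the decoy will accept.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"),
                 ("admin", "123456"), ("root", "toor")}

# Constructed, deliberately loose patterns for common injection strings.
SQLI_RE = re.compile(
    r"['\"]\s*(?:or|and)\s*['\"\d]|--\s*$|;\s*drop\b|union\s+select|/\*", re.I)


@dataclass
class Attempt:
    client_ip: str
    username: str
    password: str
    verdict: str          # "default_creds", "sqli" or "guess"


@dataclass
class DecoyConsole:
    log: list = field(default_factory=list)

    def classify(self, username, password):
        if SQLI_RE.search(username) or SQLI_RE.search(password):
            return "sqli"
        if (username, password) in DEFAULT_CREDS:
            return "default_creds"
        return "guess"

    def login(self, client_ip, username, password):
        """Record the attempt; return True (fake success) for anything that
        looks like an attack, False for an ordinary wrong guess."""
        verdict = self.classify(username, password)
        self.log.append(Attempt(client_ip, username, password, verdict))
        return verdict != "guess"

    def summary(self):
        counts = {}
        for a in self.log:
            counts[a.verdict] = counts.get(a.verdict, 0) + 1
        return counts


# Constructed attempts: (client_ip, username, password)
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", "admin", "admin"),
    ("203.0.113.5", "admin", "' or '1'='1"),
    ("198.51.100.2", "operator", "hunter2"),
    ("198.51.100.2", "admin' --", "x"),
]


def run_sample():
    console = DecoyConsole()
    results = [console.login(ip, user, pw) for ip, user, pw in SAMPLE_ATTEMPTS]
    return console, results


if __name__ == "__main__":
    console, results = run_sample()
    for attempt, ok in zip(console.log, results):
        print(f"{attempt.client_ip} {attempt.username!r}/{attempt.password!r} "
              f"-> {attempt.verdict} ({'let in' if ok else 'rejected'})")
    print(console.summary())
```

Everything the decoy records is attacker-controlled input; escape it before rendering the log anywhere, and keep the real administrative interface on a different path and credential set, or the honeypot becomes the vulnerability.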